From patchwork Tue Jun 12 21:59:26 2018
X-Patchwork-Submitter: Marton Balint
X-Patchwork-Id: 9384
Delivered-To: ffmpeg-devel@ffmpeg.org
Date: Tue, 12 Jun 2018 23:59:26 +0200 (CEST)
From: Marton Balint
To: FFmpeg development discussions and patches
In-Reply-To: <20180612181758.GH4859@michaelspb>
References: <20180610103650.10155-1-cus@passwd.hu> <20180610103650.10155-9-cus@passwd.hu> <20180611230932.GF4859@michaelspb> <20180612181758.GH4859@michaelspb>
User-Agent: Alpine 2.20 (LSU 67 2015-01-07)
Subject: Re: [FFmpeg-devel] [PATCH 09/12] avformat/mxfdec: add support for clip wrapped essences

On Tue, 12 Jun 2018, Michael Niedermayer wrote:

> On Tue, Jun 12, 2018 at 10:47:24AM +0200, Marton Balint wrote:
>>
>>
>> On Tue, 12 Jun 2018, Michael Niedermayer wrote:
>>
>>> On Sun, Jun 10, 2018 at 12:36:47PM +0200, Marton Balint wrote:
>>>> Also use common code with opAtom.
>>>>
>>>> Fixes ticket #2776.
>>>> Partially fixes ticket #5671.
>>>> Fixes ticket #5866.
>>>>
>>>> Signed-off-by: Marton Balint
>>>> ---
>>>> libavformat/mxfdec.c | 281 ++++++++++++++++++++++++---------------------------
>>>> 1 file changed, 130 insertions(+), 151 deletions(-)
>>>
>>> causes a segfault:
>>>
>>> ==23735== Invalid read of size 8
>>> ==23735==    at 0x75A627: mxf_set_pts (mxfdec.c:3277)
>>> ==23735==    by 0x75ACAD: mxf_read_packet_old (mxfdec.c:3396)
>>> ==23735==    by 0x7E099D: ff_read_packet (utils.c:856)
>>> ==23735==    by 0x7E39FF: read_frame_internal (utils.c:1581)
>>> ==23735==    by 0x7EB82B: avformat_find_stream_info (utils.c:3773)
>>> ==23735==    by 0x415534: open_input_file (ffmpeg_opt.c:1091)
>>> ==23735==    by 0x41EB11: open_files (ffmpeg_opt.c:3206)
>>> ==23735==    by 0x41ECA3: ffmpeg_parse_options (ffmpeg_opt.c:3246)
>>> ==23735==    by 0x43D1A3: main (ffmpeg.c:4832)
>>> ==23735==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
>>> ==23735==
>>> ==23735==
>>> ==23735== Process terminating with default action of signal 11 (SIGSEGV)
>>> ==23735==  Access not within mapped region at address 0x0
>>> ==23735==    at 0x75A627: mxf_set_pts (mxfdec.c:3277)
>>> ==23735==    by 0x75ACAD: mxf_read_packet_old (mxfdec.c:3396)
>>> ==23735==    by 0x7E099D: ff_read_packet (utils.c:856)
>>> ==23735==    by 0x7E39FF: read_frame_internal (utils.c:1581)
>>> ==23735==    by 0x7EB82B: avformat_find_stream_info (utils.c:3773)
>>> ==23735==    by 0x415534: open_input_file (ffmpeg_opt.c:1091)
>>> ==23735==    by 0x41EB11: open_files (ffmpeg_opt.c:3206)
>>> ==23735==    by 0x41ECA3: ffmpeg_parse_options (ffmpeg_opt.c:3246)
>>> ==23735==    by 0x43D1A3: main (ffmpeg.c:4832)
>>> ==23735==  If you believe this happened as a result of a stack
>>> ==23735==  overflow in your program's main thread (unlikely but
>>> ==23735==  possible), you can try to increase the size of the
>>> ==23735==  main thread stack using the --main-stacksize= flag.
>>> ==23735==  The main thread stack size used in this run was 8388608.
>>
>> I don't see this. What is your command line?
>
> testcase sent privately

index_table->nb_ptses was negative, but that did not cause problems before the patch, because the comparison to nb_ptses was signed; after the patch it became unsigned. It is better to explicitly disallow a negative nb_ptses. Please apply the attached patch before this one; you should be good.

Thanks,
Marton

From c3f9e8442fe66f474466d769f44f782532eacb82 Mon Sep 17 00:00:00 2001
From: Marton Balint
Date: Tue, 12 Jun 2018 23:42:16 +0200
Subject: [PATCH] avformat/mxfdec: avoid index_table->nb_ptses overflow in mxf_compute_ptses_fake_index

Signed-off-by: Marton Balint
---
 libavformat/mxfdec.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 32ca9e0f99..b2930087ab 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -1528,6 +1528,12 @@ static int mxf_compute_ptses_fake_index(MXFContext *mxf, MXFIndexTable *index_ta
             return 0; /* no TemporalOffsets */
         }
 
+        if (s->index_duration > INT_MAX - index_table->nb_ptses) {
+            index_table->nb_ptses = 0;
+            av_log(mxf->fc, AV_LOG_ERROR, "ignoring IndexSID %d, duration is too large\n", s->index_sid);
+            return 0;
+        }
+
         index_table->nb_ptses += s->index_duration;
     }
 
-- 
2.16.4
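Review bot: the new guard in mxf_compute_ptses_fake_index only bounds the running sum from above; if s->index_duration is a signed type, a negative value still passes `s->index_duration > INT_MAX - index_table->nb_ptses` and drives nb_ptses negative, which is exactly the state the reply above says caused the unsigned-comparison crash in mxf_set_pts. Either reject `s->index_duration < 0` here (or where the field is parsed), or confirm the field is unsigned, in which case the check as written is sufficient. A smaller point on the same lines: the branch logs at AV_LOG_ERROR and then returns 0, so the caller sees success while the table is dropped; since the message says "ignoring IndexSID", AV_LOG_WARNING would match the existing "no TemporalOffsets" early-out just above, or return an error code if a table that large should really fail the demux. The commit message could also state the observable effect (nb_ptses going negative, then the NULL read in mxf_set_pts) so the rationale survives in history.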
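The exchange above turns on two integer-handling details: a running int count fed with 64-bit durations that can wrap negative, and a bounds check whose meaning flips when it changes from signed to unsigned comparison. The C program below is an added example, not code from this thread or from FFmpeg: the struct, function names and the two segment lists are constructed stand-ins for mxfdec.c's index-table types, chosen to show the unchecked accumulation going negative, the INT_MAX guard rejecting the same input, and why a negative count is harmless under a signed check but fatal under an unsigned one.

```c
/* Added example (not FFmpeg code): the integer-overflow class behind the
 * nb_ptses crash. Names are hypothetical stand-ins for mxfdec.c's
 * MXFIndexTableSegment / MXFIndexTable. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint64_t index_duration;    /* per-segment duration as read from the file */
    int      nb_index_entries;  /* 0 means "no TemporalOffsets" */
} FakeSegment;

/* Constructed inputs: one hostile file claiming a 2^31 duration, one benign. */
static const FakeSegment hostile[2] = { { 0x80000000ULL, 1 }, { 1ULL,  1 } };
static const FakeSegment benign[2]  = { { 25ULL,         1 }, { 50ULL, 1 } };

/* Before the fix: an int running sum fed with 64-bit durations. The addition
 * happens in uint64_t (no UB); converting the out-of-range result back to int
 * is implementation-defined and wraps on every mainstream compiler, so the
 * count comes out negative. */
static int count_ptses_unchecked(const FakeSegment *segs, int n)
{
    int nb_ptses = 0;
    for (int i = 0; i < n; i++)
        nb_ptses += segs[i].index_duration;
    return nb_ptses;
}

/* After the fix: refuse any segment that would push the sum past INT_MAX.
 * Returns 1 on success (count in *out) or 0 when the table is ignored, with
 * *out reset to 0 so no caller sizes a buffer from a partial sum. */
static int count_ptses_checked(const FakeSegment *segs, int n, int *out)
{
    int nb_ptses = 0;
    for (int i = 0; i < n; i++) {
        if (!segs[i].nb_index_entries) {            /* no TemporalOffsets */
            *out = 0;
            return 1;
        }
        /* nb_ptses is in [0, INT_MAX] here, so the subtraction cannot wrap. */
        if (segs[i].index_duration > (uint64_t)(INT_MAX - nb_ptses)) {
            fprintf(stderr, "ignoring index table, duration is too large\n");
            *out = 0;
            return 0;
        }
        nb_ptses += (int)segs[i].index_duration;    /* known to fit */
    }
    *out = nb_ptses;
    return 1;
}

/* The bounds test whose signedness changed in the clip-wrapping patch. With a
 * negative count the signed form rejects every index (the bug stays hidden),
 * while the unsigned form accepts every index and the caller walks into a
 * table that was never allocated. */
static int index_ok_signed(int idx, int nb_ptses)
{
    return idx < nb_ptses;
}
static int index_ok_unsigned(int idx, int nb_ptses)
{
    return (unsigned)idx < (unsigned)nb_ptses;
}

/* Wrappers over the constructed inputs; -1 means the table was ignored. */
static int demo_checked(const FakeSegment *segs, int n)
{
    int count;
    return count_ptses_checked(segs, n, &count) ? count : -1;
}
static int demo_unchecked_hostile(void) { return count_ptses_unchecked(hostile, 2); }
static int demo_checked_hostile(void)   { return demo_checked(hostile, 2); }
static int demo_checked_benign(void)    { return demo_checked(benign, 2); }

int main(void)
{
    int wrapped = demo_unchecked_hostile();
    printf("unchecked hostile count: %d\n", wrapped);
    printf("checked hostile count:   %d (-1 = ignored)\n", demo_checked_hostile());
    printf("checked benign count:    %d\n", demo_checked_benign());
    printf("idx 0 with wrapped count: signed check %d, unsigned check %d\n",
           index_ok_signed(0, wrapped), index_ok_unsigned(0, wrapped));
    return 0;
}
```

Under the signed check the wrapped count merely makes every lookup fail, which is why the problem went unnoticed until the comparison became unsigned; the guard in count_ptses_checked removes the negative count at its source, which is the more robust fix than relying on either comparison form.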