From patchwork Tue Jul  3 21:05:25 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 9601
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 2002:a02:104:0:0:0:0:0 with SMTP id c4-v6csp58390jad;
	Tue, 3 Jul 2018 14:06:33 -0700 (PDT)
X-Google-Smtp-Source: 
 AAOMgpegqAz5c9y+JlWpdmy5MUAMLcUV4pl8MHZBSkm9DGt5k2xVE9At1/CHJopJUHnpzjaeN83a
X-Received: by 2002:a1c:f415:: with SMTP id
	z21-v6mr11423338wma.80.1530651993861;
	Tue, 03 Jul 2018 14:06:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1530651993; cv=none;
	d=google.com; s=arc-20160816;
	b=UDzNr1kQEWA2vdQ2A5gCjvtUVMT3kG41WypTVpgr0qCQepa8JStCKgnoSzc01m0W2T
	e8SqWCA0zmeU3ryo/EsPKqky3mjg0qQ9gGIJO0DzOe+kl1NN178ftEOwQyoYBl93y8CG
	4hi+srznqz13aKG1KyTnsO4yBq0JFwgFb0KNTG0m1X3fSf30ONuJg/jqb47kaDOCJVkn
	xDmDywc1/87BqwvxXYFWymAMSPsIWwnOySPXBUWvy7UBdbl6mfnluAXkY3gOSBM94BlW
	WbLU6YrslDIpjfnzqUseZPH/EAmVnGHG1QqFBCm2EmjTYPjEkyFz6wyfGOkiGDEvIr5p
	RzLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:subject:message-id:date:to:from:delivered-to
	:arc-authentication-results;
	bh=DqnZ66pL5kPu7yIKy/2nFcrCRYHRKwR/itaKcG67/qU=;
	b=lD2TSySheU4HLCoQGIJVIUX+Y3zkIS09owYhqYq9Eqy540xKM0VeSxahzO/4wCptHT
	dzO0IoSdVqJGI2hYYSf75w8YcKZJ6W53FpXSK0FX6ChcG2US0aKC4MATsRbaNOq1Agac
	bNo11CS4AywtFaOEO6NPxCaKfRr4nfbgojQfNHDFOhIOR/fwb/PtQC+6GNNZ38LtgrLY
	1OQDAf1sQ+N537tl82qWcEEqVycSsKUSLMSVBmP86sPqXaJZH607wtvKGHjeBcKxWe0E
	Fx3VxOSg+qsDrbe/D6rbirGDEuo7IaTQar5vyVjIwMSlyCf++LH0DTnq7eR3WvXyLXyF
	/ccw==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	b128-v6si1511478wme.225.2018.07.03.14.06.33;
	Tue, 03 Jul 2018 14:06:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 74A8568A947;
	Wed,  4 Jul 2018 00:06:27 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe07-2.mx.upcmail.net
	(vie01a-dmta-pe07-2.mx.upcmail.net [84.116.36.18])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 3501368A8D4
	for <ffmpeg-devel@ffmpeg.org>; Wed,  4 Jul 2018 00:06:21 +0300 (EEST)
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe07.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1faSVE-0000RK-Kq
	for ffmpeg-devel@ffmpeg.org; Tue, 03 Jul 2018 23:06:24 +0200
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id 6M6L1y00r0S5wYM01M6Myp; Tue, 03 Jul 2018 23:06:21 +0200
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Tue,  3 Jul 2018 23:05:25 +0200
Message-Id: <20180703210530.7493-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.18.0
Subject: [FFmpeg-devel] [PATCH 1/6] avformat/mms: Add missing chunksize check
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: out of array read
Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mms.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/mms.c b/libavformat/mms.c
index 17fa76a8d4..036046dc37 100644
--- a/libavformat/mms.c
+++ b/libavformat/mms.c
@@ -143,6 +143,12 @@ int ff_mms_asf_header_parser(MMSContext *mms)
             }
         } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) {
             chunksize = 46; // see references [2] section 3.4. This should be set 46.
+            if (chunksize > end - p) {
+                av_log(NULL, AV_LOG_ERROR,
+                    "Corrupt stream (header chunksize %"PRId64" is invalid)\n",
+                    chunksize);
+                return AVERROR_INVALIDDATA;
+            }
         }
         p += chunksize;
     }