
[FFmpeg-devel,v4,00/10] libavformat/asf: fix handling of byte array length values

Message ID pull.12.v4.ffstaging.FFmpeg.1652561722.ffmpegagent@gmail.com


Aman Karmani May 14, 2022, 8:55 p.m. UTC
The spec allows attachment sizes of up to UINT32_MAX while we can handle
only sizes up to INT32_MAX (in downstream code)

The debug.assert in get_tag didn't really address this, and truncating the
value_len in calling methods cannot be used because the length value is
required in order to continue parsing. This adds a check with log message in
ff_asf_handle_byte_array to handle those (rare) cases.

v2: Rebased & PING
v3: Adjustments suggested by Michael
v4: 1 of 11 merged, 10 to go.

softworkz (10):
  libavformat/asf: fix handling of byte array length values
  libavformat/asfdec: fix get_value return type and add checks for
  libavformat/asfdec: fix type of value_len
  libavformat/asfdec: fixing get_tag
  libavformat/asfdec: implement parsing of GUID values
  libavformat/asfdec: fix macro definition and use
  libavformat/asfdec: remove variable redefinition in inner scope
  libavformat/asfdec: ensure variables are initialized
  libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
  libavformat/asfdec: fix variable types and add checks for unsupported
    values

 libavformat/asf.c      |   8 +-
 libavformat/asf.h      |   2 +-
 libavformat/asfdec_f.c | 338 +++++++++++++++++++++++++++--------------
 3 files changed, 229 insertions(+), 119 deletions(-)


base-commit: e6f0cec88041449475f37b82b76699d2f7b5b124
Published-As: https://github.com/ffstaging/FFmpeg/releases/tag/pr-ffstaging-12%2Fsoftworkz%2Fmaster-upstream_asf_4-v4
Fetch-It-Via: git fetch https://github.com/ffstaging/FFmpeg pr-ffstaging-12/softworkz/master-upstream_asf_4-v4
Pull-Request: https://github.com/ffstaging/FFmpeg/pull/12

Range-diff vs v3:

  1:  b5c56bf5d0 =  1:  60966b7907 libavformat/asf: fix handling of byte array length values
  2:  e6aa0fb7f3 !  2:  5acab7b52b libavformat/asfdec: fix get_value return type and add checks for
     @@ libavformat/asfdec_f.c: static int asf_probe(const AVProbeData *pd)
       {
           switch (type) {
           case ASF_BOOL:
     -@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
     +@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s)
       {
           AVIOContext *pb = s->pb;
           ASFContext *asf = s->priv_data;
     @@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s,
           int desc_count, i, ret;
       
           desc_count = avio_rl16(pb);
     -@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s, int64_t size)
     +@@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s)
               /* My sample has that stream set to 0 maybe that mean the container.
                * ASF stream count starts at 1. I am using 0 to the container value
                * since it's unused. */
     @@ libavformat/asfdec_f.c: static int asf_read_ext_content_desc(AVFormatContext *s,
           return 0;
       }
       
     -@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s, int64_t size)
     +@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s)
       {
           AVIOContext *pb = s->pb;
           ASFContext *asf = s->priv_data;
     @@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s, int64_t
           int n, stream_num, name_len_utf16, name_len_utf8, value_len;
           int ret, i;
           n = avio_rl16(pb);
     -@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s, int64_t size)
     +@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s)
               av_log(s, AV_LOG_TRACE, "%d stream %d name_len %2d type %d len %4d <%s>\n",
                       i, stream_num, name_len_utf16, value_type, value_len, name);
       
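Review bot: The AV_LOG_TRACE call at the end of this range-diff hunk still prints value_len with `%4d`, while the declaration shown earlier in the same patch (`int n, stream_num, name_len_utf16, name_len_utf8, value_len;`) keeps it as int; if patch 3 ("fix type of value_len") widens or unsigns that variable, the format specifier has to change in the same patch, since a mismatched printf conversion is undefined behavior. I cannot see patch 3's new side here, so treat this as a check rather than a confirmed defect. The v3-to-v4 delta in this hunk is only the hunk-header context (the `int64_t size` parameter already gone from the base), which is consistent with the cover letter's "1 of 11 merged".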
  3:  b84474d729 !  3:  97e0d765c9 libavformat/asfdec: fix type of value_len
     @@ libavformat/asfdec_f.c: static uint64_t get_value(AVIOContext *pb, int type, int
       {
           ASFContext *asf = s->priv_data;
           char *value = NULL;
     -@@ libavformat/asfdec_f.c: static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size)
     - static int asf_read_content_desc(AVFormatContext *s, int64_t size)
     +@@ libavformat/asfdec_f.c: static int asf_read_ext_stream_properties(AVFormatContext *s)
     + static int asf_read_content_desc(AVFormatContext *s)
       {
           AVIOContext *pb = s->pb;
      -    int len1, len2, len3, len4, len5;
     @@ libavformat/asfdec_f.c: static int asf_read_ext_stream_properties(AVFormatContex
       
           len1 = avio_rl16(pb);
           len2 = avio_rl16(pb);
     -@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s, int64_t size)
     +@@ libavformat/asfdec_f.c: static int asf_read_metadata(AVFormatContext *s)
           ASFContext *asf = s->priv_data;
           uint64_t dar_num[128] = {0};
           uint64_t dar_den[128] = {0};
  4:  a54feb51a1 =  4:  025123f72d libavformat/asfdec: fixing get_tag
  5:  e14beb2c15 =  5:  2d01e4dff5 libavformat/asfdec: implement parsing of GUID values
  6:  06062da88b <  -:  ---------- libavformat/asfdec: remove unused parameters
  7:  273823a5b4 =  6:  33b3d163df libavformat/asfdec: fix macro definition and use
  8:  aaa37aca21 =  7:  1509b83f47 libavformat/asfdec: remove variable redefinition in inner scope
  9:  6aedb68b76 =  8:  fd31b0be2e libavformat/asfdec: ensure variables are initialized
 10:  28ebbe7289 =  9:  f8728b1c51 libavformat/asfdec: fix parameter type in asf_read_stream_propertie()
 11:  bbeee5f2da = 10:  78ed5aeb38 libavformat/asfdec: fix variable types and add checks for unsupported values