From patchwork Sat May 7 09:36:34 2022
X-Patchwork-Submitter: Aman Karmani
X-Patchwork-Id: 35624
From: softworkz
Message-Id: <0056a93a347829e72cd6d09d48062978ca4ac6e0.1651916204.git.ffmpegagent@gmail.com>
Date: Sat, 07 May 2022 09:36:34 +0000
To: ffmpeg-devel@ffmpeg.org
Cc: softworkz
Subject: [FFmpeg-devel] [PATCH v2 01/11] libavformat/asf: fix handling of byte array length values
List-Id: FFmpeg development discussions and patches
From: softworkz The spec allows attachment sizes of up to UINT32_MAX while we can handle only sizes up to INT32_MAX (in downstream code) The debug.assert in get_tag didn't really address this, and truncating the value_len in calling methods cannot be used because the length value is required in order to continue parsing. This adds a check with log message in ff_asf_handle_byte_array to handle those (rare) cases. Signed-off-by: softworkz --- libavformat/asf.c | 12 +++++++++--- libavformat/asf.h | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/asf.c b/libavformat/asf.c index 1ac8b5f078..179b66a2b4 100644 --- a/libavformat/asf.c +++ b/libavformat/asf.c @@ -267,12 +267,18 @@ static int get_id3_tag(AVFormatContext *s, int len) } int ff_asf_handle_byte_array(AVFormatContext *s, const char *name, - int val_len) + uint32_t val_len) { + if (val_len > INT32_MAX) { + av_log(s, AV_LOG_VERBOSE, "Unable to handle byte arrays > INT32_MAX in tag %s.\n", name); + return 1; + } + if (!strcmp(name, "WM/Picture")) // handle cover art - return asf_read_picture(s, val_len); + return asf_read_picture(s, (int)val_len); else if (!strcmp(name, "ID3")) // handle ID3 tag - return get_id3_tag(s, val_len); + return get_id3_tag(s, (int)val_len); + av_log(s, AV_LOG_VERBOSE, "Unsupported byte array in tag %s.\n", name); return 1; } diff --git a/libavformat/asf.h b/libavformat/asf.h index 01cc4f7a46..4d28560f56 100644 --- a/libavformat/asf.h +++ b/libavformat/asf.h @@ -111,7 +111,7 @@ extern const AVMetadataConv ff_asf_metadata_conv[]; * is unsupported by this function and 0 otherwise. */ int ff_asf_handle_byte_array(AVFormatContext *s, const char *name, - int val_len); + uint32_t val_len); #define ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT 0x80 //1000 0000
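Review bot: in the libavformat/asf.c hunk, the new guard in ff_asf_handle_byte_array is written as `val_len > INT32_MAX`, but the two casts below it are to `int`, so the bound should be INT_MAX to match the type asf_read_picture and get_id3_tag actually take. The early return also yields 1, the same value as the unsupported-name fall-through at the end of the function, so an oversized WM/Picture or ID3 array can only be told apart from an unknown tag by the log line, and at AV_LOG_VERBOSE that line will rarely be seen; AV_LOG_WARNING would be more fitting for an attachment that is being dropped.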
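Review bot: in the libavformat/asf.h hunk, the doc comment above the prototype still ends with "is unsupported by this function and 0 otherwise", which does not cover the new case where a supported tag name returns 1 because val_len exceeds INT32_MAX; the comment should be extended to say so. The diffstat lists only asf.c and asf.h, so no call site changes in this patch: any caller that still holds the length in an `int` will convert it implicitly to `uint32_t` at the call, and it is worth stating in the commit message whether that is intended or is handled by a later patch in the series.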