From patchwork Thu Apr 20 12:14:43 2017
X-Patchwork-Submitter: Derek Buitenhuis
X-Patchwork-Id: 3449
From: Derek Buitenhuis To: ffmpeg-devel@ffmpeg.org Date: Thu, 20 Apr 2017 13:14:43 +0100 Message-Id: <1492690483-37511-3-git-send-email-derek.buitenhuis@gmail.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1492690483-37511-1-git-send-email-derek.buitenhuis@gmail.com> References: <1492690483-37511-1-git-send-email-derek.buitenhuis@gmail.com> Subject: [FFmpeg-devel] [PATCH 2/2] webmdashenc: Validate the 'streams' adaptation sets parameter X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" It should not be a value larger than the number of streams we have, or it will cause invalid reads and/or SIGSEGV. Signed-off-by: Derek Buitenhuis --- libavformat/webmdashenc.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 2f5c31e..5025cc1 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -467,7 +467,12 @@ static int parse_adaptation_sets(AVFormatContext *s) if (as->streams == NULL) return AVERROR(ENOMEM); as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1); - if (as->streams[as->nb_streams - 1] < 0) return -1; + if (as->streams[as->nb_streams - 1] < 0 || + as->streams[as->nb_streams - 1] >= as->nb_streams || + as->streams[as->nb_streams - 1] >= s->nb_streams) { + av_log(s, AV_LOG_ERROR, "Invalid value for 'streams' in adapation_sets.\n"); + return AVERROR_INVALIDDATA; + } if (*q == '\0') break; if (*q == ' ') state = new_set; p = ++q;
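Review bot: The middle condition, `as->streams[as->nb_streams - 1] >= as->nb_streams`, compares the parsed stream index against the number of entries collected so far in this adaptation set rather than against the number of streams in the output. Because the value has just been stored at index `as->nb_streams - 1`, `as->nb_streams` is the length of this set's list at that moment, so a set whose first entry is stream 1 or higher would be rejected even when `s->nb_streams` is large enough. The commit message only asks for a bound against the streams we have, which the `>= s->nb_streams` test already provides together with the `< 0` test, so I would drop the `as->nb_streams` comparison. Two smaller points on the error path: the log string spells the option as 'adapation_sets' where 'adaptation_sets' is meant, and since the value comes from a user-supplied option, `AVERROR(EINVAL)` may describe the failure better than `AVERROR_INVALIDDATA`.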