From patchwork Thu Apr 20 14:02:54 2017
X-Patchwork-Submitter: Derek Buitenhuis
X-Patchwork-Id: 3451
From: Derek Buitenhuis
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 20 Apr 2017 15:02:54 +0100
Message-Id: <1492696974-38350-1-git-send-email-derek.buitenhuis@gmail.com>
X-Mailer: git-send-email 1.8.3.1
Subject: [FFmpeg-devel] [PATCH] webm_dash_manifest_demuxer: Fix UB in cue timestamp string code and make it actually work

The original author apparently never read the documentation for snprintf, or even tested that the output was correct.

Passing overlapping memory to snprintf causes undefined behavior, and usually resulted in only the very last timestamp being written to metadata, and not a list at all.

Signed-off-by: Derek Buitenhuis
---
 libavformat/matroskadec.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 9adca8d..320d8bf 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -3823,6 +3823,7 @@ static int webm_dash_manifest_cues(AVFormatContext *s) char *buf; int64_t cues_start = -1, cues_end = -1, before_pos, bandwidth; int i; + int end = 0; // determine cues start and end positions for (i = 0; i < seekhead_list->nb_elem; i++) 
@@ -3868,10 +3869,17 @@ static int webm_dash_manifest_cues(AVFormatContext *s) if (!buf) return -1; strcpy(buf, ""); for (i = 0; i < s->streams[0]->nb_index_entries; i++) { - snprintf(buf, (i + 1) * 20 * sizeof(char), - "%s%" PRId64, buf, s->streams[0]->index_entries[i].timestamp); - if (i != s->streams[0]->nb_index_entries - 1) + int ret = snprintf(buf + end, 20 * sizeof(char), + "%" PRId64, s->streams[0]->index_entries[i].timestamp); + if (ret <= 0 || (ret == 20 && i == s->streams[0]->nb_index_entries - 1)) { + av_log(s, AV_LOG_ERROR, "timestamp too long.\n"); + return AVERROR_INVALIDDATA; + } + end += ret; + if (i != s->streams[0]->nb_index_entries - 1) { strncat(buf, ",", sizeof(char)); + end++; + } } av_dict_set(&s->streams[0]->metadata, CUE_TIMESTAMPS, buf, 0); av_free(buf);
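Review bot: the new early return in the `ret <= 0 || (ret == 20 && i == ...)` branch leaks `buf`: the buffer is allocated above (the `if (!buf) return -1;` context line guards it) and is only released by the `av_free(buf);` after the loop, so the error path needs an `av_free(buf);` before `return AVERROR_INVALIDDATA;`. The truncation condition is also too narrow: with a size of 20, snprintf truncates whenever it returns 20 or more, on any entry and not only the last one. For a non-last entry the code then does `end += ret` with a `ret` that counts characters snprintf did not actually write, so `end` moves one past the real terminator, the `strncat` comma lands at the real end, the next timestamp is written after a stray NUL, and every remaining timestamp silently drops out of the metadata string, which is the very symptom this patch sets out to fix. Checking `ret >= 20` on every iteration closes that; note that the most negative int64 value needs 20 characters plus the terminator, so the 20-byte per-entry slot cannot hold the full range anyway. Minor: now that `end` tracks the write position, `buf[end++] = ','; buf[end] = '\0';` says what is meant more clearly than `strncat(buf, ",", sizeof(char))`, which rescans the whole string from the start on every iteration.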
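An added example, not FFmpeg's code and not part of this patch, of the offset-tracking pattern the patch moves to, with the truncation check applied to every entry rather than only the last; `join_timestamps` is a hypothetical helper and the inputs in it are constructed:

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not FFmpeg code): write `n` int64 timestamps into
 * `buf` (capacity `size`) as "t0,t1,...". Returns the string length, or -1
 * if the list does not fit; on -1, buf still holds a NUL-terminated prefix. */
int join_timestamps(const int64_t *ts, int n, char *buf, size_t size)
{
    size_t end = 0;   /* offset of the terminating NUL */
    int i;

    if (!buf || size == 0)
        return -1;
    buf[0] = '\0';
    for (i = 0; i < n; i++) {
        /* Write at the tracked offset: destination and arguments never
         * overlap, unlike snprintf(buf, ..., "%s...", buf, ...). */
        int ret = snprintf(buf + end, size - end, "%" PRId64, ts[i]);
        /* snprintf returns the length it wanted, so >= remaining space means
         * the value was truncated; check every entry, not just the last. */
        if (ret < 0 || (size_t)ret >= size - end)
            return -1;
        end += (size_t)ret;
        if (i != n - 1) {
            if (size - end < 2)   /* room for ',' plus NUL */
                return -1;
            buf[end++] = ',';
            buf[end] = '\0';
        }
    }
    return (int)end;
}

int main(void)
{
    /* Constructed sample: three cue timestamps and a deliberately tight buffer. */
    const int64_t ts[3] = {0, 40, 1000};
    char buf[32];
    int len = join_timestamps(ts, 3, buf, sizeof buf);
    printf("len=%d list=%s\n", len, buf);          /* len=9 list=0,40,1000 */
    printf("tight=%d\n", join_timestamps(ts, 3, buf, 8)); /* tight=-1 */
    return 0;
}
```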