From patchwork Fri Apr 19 13:00:10 2019
X-Patchwork-Submitter: Olivier Maignial
X-Patchwork-Id: 12811
From: Olivier Maignial
To: ffmpeg-devel@ffmpeg.org
Cc: Olivier Maignial
Date: Fri, 19 Apr 2019 15:00:10 +0200
Message-Id: <1555678810-859-1-git-send-email-olivier.maignial@smile.fr>
X-Mailer: git-send-email 2.7.4
Subject: [FFmpeg-devel] [PATCH v3] Fix sdp size check on fmtp integer parameters
List-Id: FFmpeg development discussions and patches

RFC-4566 does not give any limit of size on integer parameters given in fmtp line. By reading some more RFCs it is possible to find examples where some integer parameters are greater than 32 (see RFC-6416, 7.4).

Instead I propose to just check the eventual integer overflow. Using INT_MIN and INT_MAX ensures that it will work whatever the size of int given by compiler.

Signed-off-by: Olivier Maignial --- Changes v2 -> v3: Fix over/underflow checking in case of sizeof(int) == sizeof(long) If MAX/MIN_INT == MAX/MIN_LONG overflow would not be detected by just checking value is in range [MAX_INT,MIN_INT]. In case of over/underflow strtol return MAX/MIN_LONG and set errno to ERANGE. As MAX/MIN_LONG are valid values, the only way to detect over/underflow is to check errno. libavformat/rtpdec_mpeg4.c | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c index 4f70599..d40cb5a 100644 --- a/libavformat/rtpdec_mpeg4.c +++ b/libavformat/rtpdec_mpeg4.c @@ -289,15 +289,33 @@ static int parse_fmtp(AVFormatContext *s, for (i = 0; attr_names[i].str; ++i) { if (!av_strcasecmp(attr, attr_names[i].str)) { if (attr_names[i].type == ATTR_NAME_TYPE_INT) { - int val = atoi(value); - if (val > 32) { + char *end_ptr = NULL; + errno = 0; + long int val = strtol(value, &end_ptr, 10); + if (value[0] == '\n' || end_ptr[0] != '\0') { av_log(s, AV_LOG_ERROR, - "The %s field size is invalid (%d)\n", - attr, val); + "The %s field value is not a number (%s)\n", + attr, value); return AVERROR_INVALIDDATA; } + if ((val == LONG_MAX && errno == ERANGE) || + val > INT_MAX) { + av_log(s, AV_LOG_ERROR, + "Value of field %s overflow maximum integer value.\n", + attr); + return AVERROR_INVALIDDATA; + } + if ((val == LONG_MIN && errno == ERANGE) || + val < INT_MIN) + { + av_log(s, AV_LOG_ERROR, + "Value of field %s underflow minimum integer value.\n", + attr); + return AVERROR_INVALIDDATA; + } + *(int *)((char *)data+ - attr_names[i].offset) = val; + attr_names[i].offset) = (int) val; } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) { char *val = av_strdup(value); if (!val)
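
Review bot: the not-a-number test `if (value[0] == '\n' || end_ptr[0] != '\0')` compares the first byte against '\n' rather than detecting an empty parse, so an empty value leaves strtol returning 0 with end_ptr equal to value and is stored as a valid 0; testing `end_ptr == value || *end_ptr != '\0'` would reject both the empty string and trailing garbage. In the same block, `long int val` is declared after the statement `errno = 0;`, so the declaration should move up next to `end_ptr`, and the opening brace of the underflow `if` sits on its own line while the overflow `if` just above keeps it on the condition line. The hunk adds no #include, so please confirm that <errno.h> and <limits.h> are already in scope in rtpdec_mpeg4.c. Last, the removed `val > 32` bound, whose log message called these values a "field size", is not replaced by any per-attribute limit: every ATTR_NAME_TYPE_INT attribute now accepts the whole int range, negative values included, so any consumer that treats one of these attributes as a size or bit count needs its own range check, and the commit message should say which attributes legitimately exceed 32.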