From patchwork Mon Jul 24 12:27:05 2017
X-Patchwork-Submitter: foo86
X-Patchwork-Id: 4433
From: foo86
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 24 Jul 2017 15:27:05 +0300
Message-Id: <20170724122706.3368-2-foobaz86@gmail.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20170724122706.3368-1-foobaz86@gmail.com>
References: <20170724122706.3368-1-foobaz86@gmail.com>
Subject: [FFmpeg-devel] [PATCH 2/3] avcodec/dolby_e: fix potentially undefined pointer arithmetic

Avoid undefined behavior in skip_input() by checking that enough data is available before incrementing the input pointer. Check return values of parse_key() and skip_input() and exit early with an error if there is not enough data.
---
 libavcodec/dolby_e.c | 45 ++++++++++++++++++++++++++++-----------------
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/libavcodec/dolby_e.c b/libavcodec/dolby_e.c
index f811db4d8e..91a00ce878 100644
--- a/libavcodec/dolby_e.c
+++ b/libavcodec/dolby_e.c @@ -28,21 +28,28 @@ #include "dolby_e.h" #include "fft.h" -static void skip_input(DBEContext *s, int nb_words) +static int skip_input(DBEContext *s, int nb_words) { + if (nb_words > s->input_size) { + av_log(s->avctx, AV_LOG_ERROR, "Packet too short\n"); + return AVERROR_INVALIDDATA; + } + s->input += nb_words * s->word_bytes; s->input_size -= nb_words; + return 0; } static int parse_key(DBEContext *s) { - int key = 0; - - if (s->key_present && s->input_size > 0) - key = AV_RB24(s->input) >> 24 - s->word_bits; - - skip_input(s, s->key_present); - return key; + if (s->key_present) { + uint8_t *key = s->input; + int ret = skip_input(s, 1); + if (ret < 0) + return ret; + return AV_RB24(key) >> 24 - s->word_bits; + } + return 0; } static int convert_input(DBEContext *s, int nb_words, int key) @@ -83,8 +90,10 @@ static int convert_input(DBEContext *s, int nb_words, int key) static int parse_metadata(DBEContext *s) { - int i, ret, key = parse_key(s), mtd_size; + int i, ret, key, mtd_size; + if ((key = parse_key(s)) < 0) + return key; if ((ret = convert_input(s, 1, key)) < 0) return ret; @@ -135,14 +144,13 @@ static int parse_metadata(DBEContext *s) return AVERROR_INVALIDDATA; } - skip_input(s, mtd_size + 1); - return 0; + return skip_input(s, mtd_size + 1); } static int parse_metadata_ext(DBEContext *s) { if (s->mtd_ext_size) - skip_input(s, s->key_present + s->mtd_ext_size + 1); + return skip_input(s, s->key_present + s->mtd_ext_size + 1); return 0; } @@ -455,7 +463,10 @@ static int parse_channel(DBEContext *s, int ch, int seg_id) static int parse_audio(DBEContext *s, int start, int end, int seg_id) { - int ch, ret, key = parse_key(s); + int ch, ret, key; + + if ((key = parse_key(s)) < 0) + return key; for (ch = start; ch < end; ch++) { if (!s->ch_size[ch]) { 
@@ -469,17 +480,17 @@ static int parse_audio(DBEContext *s, int start, int end, int seg_id) return ret; s->channels[seg_id][ch].nb_groups = 0; } - skip_input(s, s->ch_size[ch]); + if ((ret = skip_input(s, s->ch_size[ch])) < 0) + return ret; } - skip_input(s, 1); - return 0; + return skip_input(s, 1); } static int parse_meter(DBEContext *s) { if (s->meter_size) - skip_input(s, s->key_present + s->meter_size + 1); + return skip_input(s, s->key_present + s->meter_size + 1); return 0; }
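Review bot: In the first hunk (@@ -28,21 +28,28 @@), the new bounds check in skip_input() guarantees that `nb_words * s->word_bytes` bytes remain, but the rewritten parse_key() saves `s->input` before a one-word skip and then reads it with `AV_RB24(key)`, which always consumes three bytes. If `s->word_bytes` can be smaller than three, that read extends past the single word the check covered and depends on padding after the packet payload rather than on `input_size`; either read with a width that matches `word_bytes` or add a comment at the `uint8_t *key = s->input;` line stating why the three-byte read is safe. While this line is being touched, `AV_RB24(key) >> 24 - s->word_bits` would also read more clearly as `AV_RB24(key) >> (24 - s->word_bits)`; the precedence is unchanged from the removed code, only the intent is hidden.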
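Review bot: In the parse_metadata() hunk (@@ -83,8 +90,10 @@), `if ((key = parse_key(s)) < 0) return key;` makes the sign of the return value carry the error, and the parse_audio() hunk does the same, but nothing at the parse_key() definition says it returns either a non-negative key or a negative AVERROR code. The convention holds because a successful key is an unsigned 24-bit value shifted right, so it can never be negative, but a one-line comment above parse_key() documenting that contract would keep a future change (for example a signed key or a different read width) from silently turning a valid key into a spurious error.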