From patchwork Fri Jul 28 13:47:04 2017
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 4494
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 28 Jul 2017 15:47:04 +0200
Message-Id: <20170728134705.20300-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.13.0
Subject: [FFmpeg-devel] [PATCH 1/2] avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2

Fixes: out of array accesses
Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer
---
 libavformat/rtmppkt.c | 60 ++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 40 insertions(+), 20 deletions(-)

diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c
index 833a3dbade..752d92a42b 100644
--- a/libavformat/rtmppkt.c
+++ b/libavformat/rtmppkt.c
@@ -433,50 +433,70 @@ void ff_rtmp_packet_destroy(RTMPPacket *pkt) pkt->size = 0; } -int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +static int ff_amf_tag_skip(GetByteContext *gb) { - const uint8_t *base = data; AMFDataType type; unsigned nb = -1; int parse_key = 1; - if (data >= data_end) + if (bytestream2_get_bytes_left(gb) < 1) return -1; - switch ((type = *data++)) { - case AMF_DATA_TYPE_NUMBER: return 9; - case AMF_DATA_TYPE_BOOL: return 2; - case AMF_DATA_TYPE_STRING: return 3 + AV_RB16(data); - case AMF_DATA_TYPE_LONG_STRING: return 5 + AV_RB32(data); - case AMF_DATA_TYPE_NULL: return 1; - case AMF_DATA_TYPE_DATE: return 11; + + switch ((type = bytestream2_get_byte(gb))) { + case AMF_DATA_TYPE_NUMBER: bytestream2_get_be64(gb); return 0; + case AMF_DATA_TYPE_BOOL: bytestream2_get_byte(gb); return 0; + case AMF_DATA_TYPE_STRING: + bytestream2_skip(gb, bytestream2_get_be16(gb)); + return 0; + case AMF_DATA_TYPE_LONG_STRING: + bytestream2_skip(gb, bytestream2_get_be32(gb)); + return 0; + case AMF_DATA_TYPE_NULL: return 0; + case AMF_DATA_TYPE_DATE: bytestream2_skip(gb, 10); return 0; case AMF_DATA_TYPE_ARRAY: parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: - nb = bytestream_get_be32(&data); + nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { int t; if (parse_key) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) { - data++; + bytestream2_get_byte(gb); break; } - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; + bytestream2_skip(gb, size); } - t = ff_amf_tag_size(data, data_end); - if (t < 0 || t >= data_end - data) + t = ff_amf_tag_skip(gb); + if (t < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += t; } - return data - base; - case AMF_DATA_TYPE_OBJECT_END: return 1; + return 0; + case AMF_DATA_TYPE_OBJECT_END: return 0; default: return -1; } } +int 
ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +{ + GetByteContext gb; + int ret; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + ret = ff_amf_tag_skip(&gb); + if (ret < 0 || bytestream2_get_bytes_left(&gb) <= 0) + return -1; + av_assert0(bytestream2_tell(&gb) >= 0 && bytestream2_tell(&gb) <= data_end - data); + return bytestream2_tell(&gb); +} + int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, const uint8_t *name, uint8_t *dst, int dst_size) {
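Review bot: the new static helper keeps the ff_ prefix (`+static int ff_amf_tag_skip(GetByteContext *gb)`); in this tree ff_ marks non-static symbols shared across files, so a file-local function should be plain amf_tag_skip, with both call sites in the hunk (`+        t = ff_amf_tag_skip(gb);` and `+    ret = ff_amf_tag_skip(&gb);`) renamed to match. Two smaller points in the same hunk. The key-length test `+            if (size < 0 || size >= bytestream2_get_bytes_left(gb))` keeps a `size < 0` branch that cannot fire, because bytestream2_get_be16() yields a value in 0..65535 and the int it is assigned to is therefore never negative; drop the dead half. More importantly, the truncation handling now rests entirely on the bytestream2 contract that a short read returns 0 and leaves the cursor at the end of the buffer: that is what makes the `bytestream2_get_bytes_left(gb) <= 0` checks after each skip reject an undersized NUMBER, DATE, STRING or LONG_STRING body, and nothing in the function says so. A one-line comment above the switch stating that the reads are allowed to run short and that the bytes_left checks are what reject truncated tags would keep a future "optimisation" from removing them. Unchanged from the old code, but worth a sentence in the commit message since it is the security fix for this parser: the empty-key path `+                bytestream2_get_byte(gb);` consumes the object terminator without verifying it is AMF_DATA_TYPE_OBJECT_END, and the recursion through ff_amf_tag_skip() for nested arrays and objects still has no depth limit, so the patch closes the out-of-bounds reads but leaves unbounded recursion on deeply nested input.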