From patchwork Thu Aug 24 23:15:28 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 4828
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.2.15.201 with SMTP id 70csp29031jao;
	Thu, 24 Aug 2017 16:16:18 -0700 (PDT)
X-Received: by 10.28.71.219 with SMTP id m88mr150202wmi.190.1503616578449;
	Thu, 24 Aug 2017 16:16:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1503616578; cv=none;
	d=google.com; s=arc-20160816;
	b=f5bOVs9Nb3EUsGalvWhJnXM/WJiJCvYnrDuwSeBrjtbznGI4NwA8ixMax173B1RPlv
	uEN0dvtqzOmzi4lRkjXsRxrMCfERVBE6+YBhPsIjZXSLSfsVycQLkFcvXpkzuTiTDcnH
	wBBlZqhyFE5kRYV5XST9UO5fo7jRfka3Oy1CyBc62mvpUyc1CpzhslNEKP2C1xVUWmG1
	HDeYhROwmy8GkRPnG4DegEOSrw+XyXpUbFi6TxTobEFyCWQSVyuhFxlG2V+ZOk4V37WH
	gg6YOs7lkzi6elSOi43K4egzzlDSGjbtOZMkO3HgdFZcSdh6f7EgshhGyexsxdMSLq8m
	e5WQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:cc:reply-to
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:subject:mime-version:references:in-reply-to
	:message-id:date:to:from:delivered-to:arc-authentication-results;
	bh=0006EPDGx98Cv+J9Orcz5mGSSb5n8fNpnfp4SkyJBGU=;
	b=UkaQEZgV1fGxRO9GDFyF5vGID/V+zBXdwVhivsZ90Jequ+84Xn6S67KEfQl2BzB8t9
	RACTcsxSzL2uv65cv0/gnhIFudqckcO481aMb7B+Zv81c8zd4IEpegPc8TBFRQQvWhYv
	/YEzprCg9pbL7Y/qcHw9WC+j+RetwQfMphCo6t+rV7SXr06C0Begdbroh1iB0TWNXKAb
	CmEsUXcsA2uXKJzahd11WyLGy44OReZI5mBwSP/1F8wXBkoIOIY6WagQ64/JikzF39X2
	kCn9bSoHg/lZKB6vAOju/+QnyWGMl+zqTK9X6j1T60ncKqyUmPA19H2oGnHRh7EtzW1s
	3Smw==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	l14si4177092wrg.138.2017.08.24.16.16.17;
	Thu, 24 Aug 2017 16:16:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 197CB6898EF;
	Fri, 25 Aug 2017 02:15:42 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-qmta-pe02-3.mx.upcmail.net
	(vie01a-qmta-pe02-3.mx.upcmail.net [62.179.121.183])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id C306B689753
	for <ffmpeg-devel@ffmpeg.org>; Fri, 25 Aug 2017 02:15:35 +0300 (EEST)
Received: from [172.31.218.37] (helo=vie01a-dmta-pe03-1.mx.upcmail.net)
	by vie01a-pqmta-pe02.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1dl1Lj-0002hj-OJ
	for ffmpeg-devel@ffmpeg.org; Fri, 25 Aug 2017 01:15:43 +0200
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe03.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1dl1Ld-0002DA-OP
	for ffmpeg-devel@ffmpeg.org; Fri, 25 Aug 2017 01:15:37 +0200
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id 1BFa1w01A0S5wYM01BFbcg; Fri, 25 Aug 2017 01:15:35 +0200
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Fri, 25 Aug 2017 01:15:28 +0200
Message-Id: <20170824231532.16002-2-michael@niedermayer.cc>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20170824231532.16002-1-michael@niedermayer.cc>
References: <20170824231532.16002-1-michael@niedermayer.cc>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 2/6] avformat/rmdec: Fix DoS due to lack of
	eof check
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Cc: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
	=?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.shandwangchu.zhl@alibaba-inc.com>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

From: 孙浩 and 张洪亮(望初) <tony.sh and wangchu.zhl@alibaba-inc.com>

Fixes: loop.ivr

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rmdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 178eaea57d..d6d7d9cd84 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -1223,8 +1223,11 @@ static int ivr_read_header(AVFormatContext *s)
             av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val);
         } else if (type == 4) {
             av_log(s, AV_LOG_DEBUG, "%s = '0x", key);
-            for (j = 0; j < len; j++)
+            for (j = 0; j < len; j++) {
+                if (avio_feof(pb))
+                    return AVERROR_INVALIDDATA;
                 av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb));
+            }
             av_log(s, AV_LOG_DEBUG, "'\n");
         } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) {
             nb_streams = value = avio_rb32(pb);