From patchwork Tue Sep 5 00:55:26 2017
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 4987
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 5 Sep 2017 02:55:26 +0200
Message-Id: <20170905005526.19078-2-michael@niedermayer.cc>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20170905005526.19078-1-michael@niedermayer.cc>
References: <20170905005526.19078-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/2] avformat/asfdec: Fix DoS in asf_build_simple_index()

Fixes: Missing EOF check in loop
No testcase
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer
---
 libavformat/asfdec_f.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index f3acbae280..cc648b9a2f 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -1610,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index) int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum; int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0); + if (avio_feof(s->pb)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + if (pos != last_pos) { av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n", pktnum, pktct, index_pts);
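Review bot: the new avio_feof() check sits after `int64_t pos = ...` and `int64_t index_pts = ...` have already been derived from this iteration's pktnum, so when it fires those two locals were computed from values read after the stream had hit end of file; the `goto end` discards them before the `if (pos != last_pos)` block uses them, so the logic is sound, but it reads more clearly if the check is moved up to directly after the reads that produce pktnum and pktct (above the `int64_t pos` line), so a truncated entry is rejected before anything is computed from it. Also, since this closes a DoS and the message says "No testcase", a small truncated ASF whose index header declares far more entries than the file holds would make a cheap FATE sample that keeps this loop bounded in future changes.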