From patchwork Sat Nov 25 20:11:26 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Stebbins <jstebbins@jetheaddev.com>
X-Patchwork-Id: 6359
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.2.161.94 with SMTP id m30csp3814529jah;
	Sat, 25 Nov 2017 12:11:39 -0800 (PST)
X-Google-Smtp-Source: 
 AGs4zMY91teCWkDHdhvJkMsDPTWyu5Yy8k2eEhBuyNN1evDVOJ5tTtWqRCdzfF3JPekklB4TY4kL
X-Received: by 10.28.209.77 with SMTP id i74mr13230931wmg.53.1511640699863;
	Sat, 25 Nov 2017 12:11:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1511640699; cv=none;
	d=google.com; s=arc-20160816;
	b=p9DQgX6ilphmmucRnFNinWn6ekoxZFE4jtoeX5Yyf65RNBeo1lQQ9Gac+BoZyThNFK
	s2jDa0eGUXFHRrjVe/iX6aFbW/PRkUJmVCCRHZsgykZPDZMBtpSjiddfVs4l4TZG/Ca3
	uEnSHE2Ym3Crgoti++gMj5BqC82QzLd+169EpJGOJZJQuZAmbm9fYtu8C1PR+9LBGiO7
	wDaex78DqX16JFw6+mM2QnSBh9dzvFan9QBO5dsjGCoIMPqOGMpXh1/BtTukSOnyT1xW
	cetLxZERw/b6ZfwSsHFuXi1y0EbpEU/UfQjPgalhVfO7Ai3s6t4rBRiBn0uQLbeGgSw7
	yTHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:reply-to:list-subscribe
	:list-help:list-post:list-archive:list-unsubscribe:list-id
	:precedence:subject:mime-version:message-id:date:to:from
	:delivered-to:arc-authentication-results;
	bh=/1a86rfejy9j+MN7x3KO3G5jZ2orLsk8V8j8Jid4Dz8=;
	b=JbRG5eYbPCcptdDilOmsSXURMjLRoPq/XfbOc+hjD3+mnM/5F58ArLLVKMOw311+N8
	IaSEfm7tAVFCbsytC0qP3Zk9oVns9eDvaSvp8fze6iCmMjd/Cgu4U5nnVYpn9+jFQxlT
	kqwNR/c71xHX7auy9zIyELcFrSNUqFk/w+vdivNjGL+1FSLfIcXmfupgT1vMwUfows/5
	j8sGtMHEdkC+SM/FwIWm7OyEc8KFgHkZSNAHq/w4XpxfmxbpLm2eeY3NWCXEdq1AEJWp
	/54sSHTlZnVgxfPV7OTgJLahv0sIvIYFYNC70wLs7Es41cpuOhP4D90Yx2E6qMCBdRFD
	wBoA==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	y204si9405564wme.142.2017.11.25.12.11.39;
	Sat, 25 Nov 2017 12:11:39 -0800 (PST)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id CA26F68A350;
	Sat, 25 Nov 2017 22:11:36 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail.jetheaddev.com (mail.jetheaddev.com [70.164.99.34])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 90AB168A2A9
	for <ffmpeg-devel@ffmpeg.org>; Sat, 25 Nov 2017 22:11:30 +0200 (EET)
Received: from dionysus.jetheaddev.com (10.13.12.63) by cas.jetheaddev.com
	(192.168.13.27) with Microsoft SMTP Server (TLS) id 14.3.351.0;
	Sat, 25 Nov 2017 12:11:29 -0800
Received: from dionysus.jetheaddev.com (localhost [127.0.0.1])	by
	dionysus.jetheaddev.com (8.15.2/8.14.7) with ESMTP id
	vAPKBTod004910	for
	<ffmpeg-devel@ffmpeg.org>; Sat, 25 Nov 2017 12:11:29 -0800
Received: (from jstebbins@localhost)	by dionysus.jetheaddev.com
	(8.15.2/8.15.2/Submit) id vAPKBS5u004909	for ffmpeg-devel@ffmpeg.org;
	Sat, 25 Nov 2017 12:11:28 -0800
From: John Stebbins <jstebbins@jetheaddev.com>
To: <ffmpeg-devel@ffmpeg.org>
Date: Sat, 25 Nov 2017 12:11:26 -0800
Message-ID: <20171125201126.4863-1-jstebbins@jetheaddev.com>
X-Mailer: git-send-email 2.14.3
MIME-Version: 1.0
X-Originating-IP: [10.13.12.63]
Subject: [FFmpeg-devel] [PATCH] lavf/mov: fix huge alloc in mov_read_ctts
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

An invalid file may cause huge alloc.  Delay expansion of ctts entries
until the number of samples is known in mov_build_index.
---
 libavformat/mov.c | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index ddb1e59b85..7a7fd13099 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2896,7 +2896,7 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 {
     AVStream *st;
     MOVStreamContext *sc;
-    unsigned int i, j, entries, ctts_count = 0;
+    unsigned int i, entries, ctts_count = 0;
 
     if (c->fc->nb_streams < 1)
         return 0;
@@ -2929,9 +2929,8 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
             continue;
         }
 
-        /* Expand entries such that we have a 1-1 mapping with samples. */
-        for (j = 0; j < count; j++)
-            add_ctts_entry(&sc->ctts_data, &ctts_count, &sc->ctts_allocated_size, 1, duration);
+        add_ctts_entry(&sc->ctts_data, &ctts_count, &sc->ctts_allocated_size,
+                       count, duration);
 
         av_log(c->fc, AV_LOG_TRACE, "count=%d, duration=%d\n",
                 count, duration);
@@ -3580,6 +3579,8 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
     unsigned int stps_index = 0;
     unsigned int i, j;
     uint64_t stream_size = 0;
+    MOVStts *ctts_data_old = sc->ctts_data;
+    unsigned int ctts_count_old = sc->ctts_count;
 
     if (sc->elst_count) {
         int i, edit_start_index = 0, multiple_edits = 0;
@@ -3648,6 +3649,28 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
         }
         st->index_entries_allocated_size = (st->nb_index_entries + sc->sample_count) * sizeof(*st->index_entries);
 
+        if (ctts_data_old) {
+            // Expand ctts entries such that we have a 1-1 mapping with samples
+            if (sc->sample_count >= UINT_MAX / sizeof(*sc->ctts_data))
+                return;
+            sc->ctts_count = 0;
+            sc->ctts_allocated_size = 0;
+            sc->ctts_data = av_fast_realloc(NULL, &sc->ctts_allocated_size,
+                                    sc->sample_count * sizeof(*sc->ctts_data));
+            if (!sc->ctts_data) {
+                av_free(ctts_data_old);
+                return;
+            }
+            for (i = 0; i < ctts_count_old &&
+                        sc->ctts_count < sc->sample_count; i++)
+                for (j = 0; j < ctts_data_old[i].count &&
+                            sc->ctts_count < sc->sample_count; j++)
+                    add_ctts_entry(&sc->ctts_data, &sc->ctts_count,
+                                   &sc->ctts_allocated_size, 1,
+                                   ctts_data_old[i].duration);
+            av_free(ctts_data_old);
+        }
+
         for (i = 0; i < sc->chunk_count; i++) {
             int64_t next_offset = i+1 < sc->chunk_count ? sc->chunk_offsets[i+1] : INT64_MAX;
             current_offset = sc->chunk_offsets[i];