From patchwork Sun Nov 26 15:32:30 2017
X-Patchwork-Submitter: John Stebbins
X-Patchwork-Id: 6365
From: John Stebbins To: Date: Sun, 26 Nov 2017 07:32:30 -0800 Message-ID: <20171126153230.12293-1-jstebbins@jetheaddev.com> X-Mailer: git-send-email 2.14.3 MIME-Version: 1.0 X-Originating-IP: [10.13.12.63] Subject: [FFmpeg-devel] [PATCH] lavf/mov: fix huge alloc in mov_read_ctts X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" An invalid file may cause huge alloc. Delay expansion of ctts entries until the number of samples is known in mov_build_index. Found-by: zhao dongzhuo, AD-lab of Venustech --- libavformat/mov.c | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ddb1e59b85..7a7fd13099 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2896,7 +2896,7 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, MOVAtom atom) { AVStream *st; MOVStreamContext *sc; - unsigned int i, j, entries, ctts_count = 0; + unsigned int i, entries, ctts_count = 0; if (c->fc->nb_streams < 1) return 0; @@ -2929,9 +2929,8 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, MOVAtom atom) continue; } - /* Expand entries such that we have a 1-1 mapping with samples. */ - for (j = 0; j < count; j++) - add_ctts_entry(&sc->ctts_data, &ctts_count, &sc->ctts_allocated_size, 1, duration); + add_ctts_entry(&sc->ctts_data, &ctts_count, &sc->ctts_allocated_size, + count, duration); av_log(c->fc, AV_LOG_TRACE, "count=%d, duration=%d\n", count, duration); 
@@ -3580,6 +3579,8 @@ static void mov_build_index(MOVContext *mov, AVStream *st) unsigned int stps_index = 0; unsigned int i, j; uint64_t stream_size = 0; + MOVStts *ctts_data_old = sc->ctts_data; + unsigned int ctts_count_old = sc->ctts_count; if (sc->elst_count) { int i, edit_start_index = 0, multiple_edits = 0; @@ -3648,6 +3649,28 @@ static void mov_build_index(MOVContext *mov, AVStream *st) } st->index_entries_allocated_size = (st->nb_index_entries + sc->sample_count) * sizeof(*st->index_entries); + if (ctts_data_old) { + // Expand ctts entries such that we have a 1-1 mapping with samples + if (sc->sample_count >= UINT_MAX / sizeof(*sc->ctts_data)) + return; + sc->ctts_count = 0; + sc->ctts_allocated_size = 0; + sc->ctts_data = av_fast_realloc(NULL, &sc->ctts_allocated_size, + sc->sample_count * sizeof(*sc->ctts_data)); + if (!sc->ctts_data) { + av_free(ctts_data_old); + return; + } + for (i = 0; i < ctts_count_old && + sc->ctts_count < sc->sample_count; i++) + for (j = 0; j < ctts_data_old[i].count && + sc->ctts_count < sc->sample_count; j++) + add_ctts_entry(&sc->ctts_data, &sc->ctts_count, + &sc->ctts_allocated_size, 1, + ctts_data_old[i].duration); + av_free(ctts_data_old); + } + for (i = 0; i < sc->chunk_count; i++) { int64_t next_offset = i+1 < sc->chunk_count ? sc->chunk_offsets[i+1] : INT64_MAX; current_offset = sc->chunk_offsets[i];
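Review bot: with the per-sample loop removed from mov_read_ctts (second hunk), sc->ctts_data holds one entry per (count, duration) pair and sc->ctts_count counts those pairs until mov_build_index rewrites them, so the interim layout is no longer 1-1 with samples. Worth confirming that nothing else in mov.c reads ctts_data or ctts_count between the two functions under the old assumption, and the commit message could state the new interim layout explicitly so later readers know the expansion moved rather than disappeared.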
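Review bot: the guard `if (sc->sample_count >= UINT_MAX / sizeof(*sc->ctts_data)) return;` in the last hunk exits mov_build_index silently and before the chunk loop that fills st->index_entries, so a stream that trips it ends up with no index and no diagnostic; an av_log(mov->fc, AV_LOG_ERROR, ...) before that return, and before the `if (!sc->ctts_data)` return after av_fast_realloc, would make both failures visible. Note also that av_fast_realloc returns the pointer it was given when min_size is not larger than *size, so with sc->sample_count == 0 the NULL comes straight back and a stream that has a ctts atom but no samples takes the error path; if that is intended it deserves a comment. Finally, the inner loop `for (j = 0; j < ctts_data_old[i].count && sc->ctts_count < sc->sample_count; j++)` is bounded only by sample_count: j is unsigned, so if count is a signed int a negative value compares as a large number and is expanded up to the sample limit, which is safe but silently wrong, and a positive-count check or a comment explaining why the bound suffices would help.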