From patchwork Sun Jan  7 02:15:19 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 7174
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.2.78.2 with SMTP id r2csp1118250jaa;
	Sat, 6 Jan 2018 18:26:37 -0800 (PST)
X-Google-Smtp-Source: 
 ACJfBouXv93MCf80XmvfDfUvjA2YTyfkpqQzh1VltQPc9EGffRxWk9t8yKzt+feXuGHhq9XVYMUL
X-Received: by 10.223.152.129 with SMTP id w1mr6936466wrb.282.1515291997636;
	Sat, 06 Jan 2018 18:26:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1515291997; cv=none;
	d=google.com; s=arc-20160816;
	b=SR1mUQomEmt1O17m3oYcWjYPz+UuQ1A4VE+ovfDOMUvep6OY0wkPnrOBR23TvLycXP
	ns90ZLiiX7YvZL+Hkj54hmmiIE1FZ7rfMAzgq+drDpdZHDpSSK6uWqfsXtnbzkeug7pl
	Sxw0nX70vZvxMtExl3UaDg1isDRN6/Fo5//n64DuY8kosypoCvtZ80e1+K9DgWRAH5EP
	iq/dHAdQITb4OOaJOODcCO/npUPNEfrHn7gOKnv7GqzNa796yWzDROEHb/DiJD7yHuga
	oNlh+skrUj0VSavKqQfhDxDKdUq/E7cTYb+16GSg3Y4p5C40oyJVyIutoUtYrVvcE/7B
	kTPQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:subject:message-id:date:to:from:delivered-to
	:arc-authentication-results;
	bh=18C3Lh2v0timbRZSGlZ3G0XO8c9wG61AyDxAmgHkvCM=;
	b=ZN0WRYdpLKXKjY6Mbojy1ekrwf5Ao6yK2pfOVFjJR/dBh2kxHmRPlP38s/k6s6Lstz
	nW1L4pGBguOmXnLjXQ0n8PA38/I8+9S49EpT3JO1Dgo7PsfbPUJaPCotSo/gabeETXFB
	QAODiOmPSBnHd8P4TFB7LCyrwbEE1NvINXfqh9OfQV5EU5j5WTShMU6yFl2JHmQpw5ks
	ztJeVzG6hVolByNriLGVotkFKiMdKg+kBYcHFQwLxx0p9hQK4c+6V3JI6o0k0nGqEHB5
	7ZmSKbYa76w9eI4rLvsHXvr6buC7txkcEEXKA4/YKMYv+9YuJ82TLA+heVf6GVls0ssb
	Jb0w==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id m5si6746708wrh.21.2018.01.06.18.26.37;
	Sat, 06 Jan 2018 18:26:37 -0800 (PST)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 7F20D689D4F;
	Sun,  7 Jan 2018 04:26:35 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-qmta-pe02-2.mx.upcmail.net
	(vie01a-qmta-pe02-2.mx.upcmail.net [62.179.121.182])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 17B5B688387
	for <ffmpeg-devel@ffmpeg.org>; Sun,  7 Jan 2018 04:26:29 +0200 (EET)
Received: from [172.31.218.35] (helo=vie01a-dmta-pe02-2.mx.upcmail.net)
	by vie01a-pqmta-pe02.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1eY0Uk-00052X-9P
	for ffmpeg-devel@ffmpeg.org; Sun, 07 Jan 2018 03:15:30 +0100
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe02.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1eY0Ue-0001JM-FF
	for ffmpeg-devel@ffmpeg.org; Sun, 07 Jan 2018 03:15:24 +0100
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id vEFL1w0040S5wYM01EFMn4; Sun, 07 Jan 2018 03:15:21 +0100
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sun,  7 Jan 2018 03:15:19 +0100
Message-Id: <20180107021519.22720-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.15.1
Subject: [FFmpeg-devel] [PATCH] avcodec/opus_parser: Check payload_len in
	parse_opus_ts_header()
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: clusterfuzz-testcase-minimized-6134545979277312
Fixes: crbug 797469

Reported-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/opus_parser.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/libavcodec/opus_parser.c b/libavcodec/opus_parser.c
index 893573eb82..28b0933900 100644
--- a/libavcodec/opus_parser.c
+++ b/libavcodec/opus_parser.c
@@ -43,6 +43,7 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le
     const uint8_t *buf = start + 1;
     int start_trim_flag, end_trim_flag, control_extension_flag, control_extension_length;
     uint8_t flags;
+    uint64_t payload_len_tmp;
 
     GetByteContext gb;
     bytestream2_init(&gb, buf, buf_len);
@@ -52,11 +53,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le
     end_trim_flag          = (flags >> 3) & 1;
     control_extension_flag = (flags >> 2) & 1;
 
-    *payload_len = 0;
+    payload_len_tmp = *payload_len = 0;
     while (bytestream2_peek_byte(&gb) == 0xff)
-        *payload_len += bytestream2_get_byte(&gb);
+        payload_len_tmp += bytestream2_get_byte(&gb);
 
-    *payload_len += bytestream2_get_byte(&gb);
+    payload_len_tmp += bytestream2_get_byte(&gb);
 
     if (start_trim_flag)
         bytestream2_skip(&gb, 2);
@@ -67,6 +68,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le
         bytestream2_skip(&gb, control_extension_length);
     }
 
+    if (bytestream2_tell(&gb) + payload_len_tmp > buf_len)
+        return NULL;
+
+    *payload_len = payload_len_tmp;
+
     return buf + bytestream2_tell(&gb);
 }
 
@@ -104,6 +110,10 @@ static int opus_find_frame_end(AVCodecParserContext *ctx, AVCodecContext *avctx,
             state = (state << 8) | payload[i];
             if ((state & OPUS_TS_MASK) == OPUS_TS_HEADER) {
                 payload = parse_opus_ts_header(payload, &payload_len, buf_size - i);
+                if (!payload) {
+                    av_log(avctx, AV_LOG_ERROR, "Error parsing Ogg TS header.\n");
+                    return AVERROR_INVALIDDATA;
+                }
                 *header_len = payload - buf;
                 start_found = 1;
                 break;